Cyber Incident Victim: EnergyAustralia

Date:

Sep 2022

Location:

Australia

Summary

EnergyAustralia experienced a cybersecurity breach involving unauthorized access to its My Account platform, impacting 323 residential and small business customers. The compromised data included names, addresses, email addresses, utility bills, phone numbers, and partial credit card details; sensitive information such as passwords, banking data, and identification documents remained secure because it was not stored on the system. The automated bot-driven attack prompted immediate containment measures, including locking affected accounts, mandatory password resets with a new 12-character minimum requirement, and direct customer notifications via SMS and email. The incident was reported to regulators and law enforcement, and no evidence of data exfiltration was found.


Description

On September 30, 2022, EnergyAustralia, Australia’s third-largest energy retailer, experienced a cybersecurity incident involving unauthorized access to its customer-facing My Account platform. The breach was detected on the same day, prompting the company to immediately take My Account offline as a precautionary measure. An investigation revealed that an automated bot attack compromised data belonging to 323 residential and small business customers. The exposed information included customer names, addresses, email addresses, electricity and gas bills, phone numbers, and the first six and last three digits of stored credit card numbers. EnergyAustralia confirmed no evidence of data exfiltration or transfer outside its systems. Sensitive identification documents such as driver’s licences or passports, along with banking details and passwords, remained secure as they were not stored on the My Account platform. No other corporate systems were affected beyond the My Account service.


EnergyAustralia initiated containment measures by locking all impacted accounts on September 30. Between October 1–2, the company conducted account reviews to finalize the scope of the breach. Affected customers received SMS and email notifications starting at 3:00 PM on October 2, instructing them to contact a dedicated support line from October 3 to restore account access. Follow-up calls were made throughout the subsequent week. The company mandated password resets for compromised accounts, enforcing a new 12-character minimum password requirement to strengthen security. EnergyAustralia reported the incident to regulatory authorities, law enforcement, and relevant government offices, providing ongoing updates as new information emerged. Chief Customer Officer Mark Brownfield publicly apologized for the breach, acknowledging the disruption while emphasizing the limited scale of the incident. The attack’s automated bot-based nature was confirmed, though no attribution or further technical details were disclosed. This incident followed high-profile breaches at other Australian entities like Optus and Medibank, underscoring broader regional cybersecurity challenges during this period.
